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The Applicant and the undersigned thank Examiner Nalven for his careful review of this 
application and especially for his time and consideration given during the telephonic interview of 
May 18, 2006. A summary of this telephonic interview is provided below. 

Claims 1-57 have been rejected by the Examiner. Upon entry of this amendment, Claims 
2, 5, 15, 41, and 51 remain cancelled while Claims 1, 3-4, 6-14, 16-40, 42-50, and 52-57 remain 
pending in this application. The six independent claims are Claims 1, 14, 25, 37, 50, and 56. 

Consideration of the present application is respectfully requested in light of the above 
claim amendments to the application, the telephonic interview, and in view of the following 
remarks, 

Summary of Telephonic Interview of May 18. 2006 

The Applicant and the undersigned thank Examiner Nalven for his time and consideration 
given during the telephonic interview of May 18, 2006. During this telephonic interview, a 
proposed amendment to the claims was discussed. The Applicant provided the proposed 
amendment to the claims in advance of the interview. 

The Applicant's representative explained that the invention as recited in the amended 
independent claims evaluates contextual information related to a data signature by comparing the 
contextual information and data signature to a table that comprises contextual information, data 
signatures, and alert condition values. The invention then assigns an alert condition value based 
on the comparison of the contextual information and data signature to data in the table. 

Meanwhile, the prior art, such as U.S. Patent No. 6,301,668 issued in the name of 
Gleichauf et al. (hereinafter, the "Gleichauf reference") does not look for data signatures or for 
any context of data signatures as recited in the amended independent claims. Examiner Nalven 
acknowledged these deficiencies of the Gleichauf reference in his Final Office Action of May 
13, 2005 and to overcome them, the Examiner relied upon U.S. Patent No- 6,279,113 issued in 
the name of Vaidya (hereinafter the <0 Vaidya reference). 

However, the Vaidya reference as well as the Gleichauf reference do not provide any 
teaching of a table that comprises contextual information, data signatures, and alert condition 
values. Further, both the Vaidya reference and Gleichauf references also do not provide any 
teaching of comparing the contextual information and data signature with the table and assigning 
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an alert condition value based on the comparison of the contextual information and data 
signature to data in the table. 

To address the table of contextual information that is missing from both the Vaidya and 
Gleichauf references, Examiner Nalven has relied upon the table illustrated in Figure 31 of U.S. 
Pat. No. 6,460,141 issued in the name of Olden (hereinafter, the "Olden reference"). The 
Applicant's representative pointed out that the Olden reference does not provide the same 
elements required in the contextual information table as set forth in the amended claims. 
Specifically, the Applicant's representative pointed out that the table illustrated in Figure 31 of 
the Olden reference does not provide any teaching of the following: (1) an alert condition value 
assigned to each data signature based on each data signature itself and contextual information 
associated with the data signature, (2) the contextual information comprising at least one of an 
application layer data field type used to encapsulate the data signature and an application layer 
protocol type used to transmit the data signature, and (3) the alert condition value indicating a 
security risk level relative to different data signatures and relative to other identical data 
signatures associated with different contextual information. 

The Applicant's representative explained to Examiner Nalven that the Olden reference is 
concerned with restricting access to secure information. Meanwhile, the Applicant's technology 
can determine a likelihood that a target computer is under a computer attack. 

After listening to the Applicant's representative's discussion of the amended claims, 
Examiner Nalven suggested that the Applicant define contextual information earlier in the 
independent patent claims than was provided in the draft amendment. The Applicants have 
adopted this helpful suggestion in this paper, 

Examiner Nalven Stated that these amendments would be considered when a formal 
response is submitted. Examiner Nalven believed that these amendments would likely overcome 
the prior art of record but he indicated that an update search would be conducted. 

The Applicant and the undersigned request Examiner Nalven to review this interview 
summary and to approve it by writing "Interview Record OK" along with his initials and the date 
next to this summary in the margin as discussed in MPEP § 713.04, p. 700-202. 
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Claim Refections Under 35 U.S.C. SS 103 

The Examiner rejected Claims 1, 3-4, 6, 14, 18-21, 25-26, 32, 34, 37-40, 42, 50, and 54- 
56 are rejected under 35 U.S-C § 103(a) as being unpatentable over the Gleichauf reference in 
view of the Vaidya reference, and farther in view of the Olden reference. The Examiner rejected 
Claims 7-8, 10-12, 22, 27, 29-31, 43-44, 46-48, and 57 under 35 U.S.C. § 103(a) as being 
unpatentable over the Gleichauf, Vaidya, and Olden references and further in view of U.S. Pat. 
No. 5,991,881 issued in the name of Conklin et al. (hereinafter, the "Conklin reference"). 

The Examiner rejected Claims 9, 23, and 45 under 35 U.S.C. § 103(a) as being 
unpatentable over the Gleichauf reference, the Vaidya reference, the Olden reference, the 
Conklin reference, and further in view of U.S. Patent Application Publication No. 2002/0083331, 
published in the name of Krumel (hereinafter, the "Krumel reference"). The Examiner rejected 
Claims 13 and 49 under 35 U.S.C. § 103(a) as being unpatentable over the Gleichauf reference, 
the Vaidya reference, the Olden reference, the Conklin reference, and further in view of a Printed 
Publication entitled, "Detecting Backdoors," authored by Zhang et al. (hereinafter, the "Zhang 
reference"). 

The Examiner rejected Claims 16, 35, and 52 under 35 U.S.C. § 103(a) as being 
unpatentable over the Gleichauf reference, the Vaidya reference, the Olden reference, and further 
in view of U.S. Patent No. 6,301,668 issued in the name of Ji et al. (hereinafter, the "Ji 
reference")- The Examiner rejected Claims 17 and 53 under 35 U.S.C. § 103(a) as being 
unpatentable over the Gleichauf reference, the Vaidya reference, the Olden reference, the Ji 
reference, and further in view of a Printed Publication entitled, "Security Reality Check," 
authored by Farrow (hereinafter, the "Farrow reference"). 

The Examiner rejected Claim 24 under 35 U.S.C. § 103(a) as being unpatentable over the 
Gleichauf reference, the Vaidya reference, the Olden reference, the Conklin reference, the 
Krumel reference, and further in view of the Zhang reference. The Examiner rejected Claim 28 
under 35 U.S.C. § 103(a) as being unpatentable over the Gleichauf reference, the Vaidya 
reference, the Conklin reference, and further in view of the U.S. Patent No. 6,275,942 issued in 
the name of Bernhard et al (hereinafter, the "Bemhard reference"). The Examiner rejected 
Claims 33 and 36 under 35 U.S.C § 103(a) as being unpatentable over the Gleichauf reference in 
view of the Vaidya, Olden and Rrumel references. 



PAGE 21/43 * RCVD AT 5J25/2006 1:12:15 PM [Eastern DayBght Time] * SVR:USPTO-EFXRF-2/8 * DNIS:2738300 * CSID:404 572 5134* DURATION (mm-ss):13-12 



MAY 25 2006 13:21 FR KING AND SPALDING 404 572 5134 TO 555 1 B054568 1 0503 P 



Application Serial No. 09/874,574 



The Applicant respectfully offers remarks to traverse these pending rejections. The 
Applicant will address each independent claim separately as the Applicant believes that each 
independent claim is separately patentable over the prior art of record. 



Independent Claim 1 

The rejection of Claim 1 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Olden, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, 
individually or in view of each other, fail to describe, teach, or suggest the combination of: (1) 
identifying a plurality of data signatures relevant to computer security; (2) designating an alert 
condition value to each data signature based on (3) each data signature itself and (4) contextual 
information associated with the data signature, (5) the contextual information comprising at least 
one of (6a) an application layer data field type used to encapsulate the data signature and (6b) an 
application layer protocol type used to transmit the data signature, (7) the alert condition value 
indicating a security risk level (S) relative to different data signatures and (9) relative to other 
identical data signatures associated with different contextual information; (10) creating a table 
comprising contextual information, the data signatures, and the alert condition values; (11) 
detecting a data signature by evaluating communications at an application layer level between a 
target and a suspect; (12) correlating said data signature with an application layer fingerprint of 
the target to determine to what extent said target is vulnerable to said data signature; (13) 
evaluating contextual information related to the data signature by comparing the contextual 
information and the data signature to the table (14) in order to determine a likelihood that said 
target is under attack; and (15) assigning an alert condition value to the data signature based on 
(16) the comparison of the contextual information and data signature to data in the table, as 
recited in amended independent Claim 1. 



Su pport for Contextual Information Table 

The Applicant respectfully submits that the additional elements of the contextual 
information table described in the amended independent claims are fully supported by the 
original disclosure. Specifically, the contextual information table recited in the independent 
claims is illustrated in original Figure 4 reproduced below. The description of Figure 4 is found 
in paragraph [0044] of the original application text on page 16. 
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Contextual Information for Data Signature Evaluation 
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The Gleichauf Reference 

The Gleichauf reference generally describes a system for adaptive network security using 
network vulnerability assessment. The network environment can comprise devices that form an 
internal network, protection for the internal network, and an external network. The internal 
network, indicated generally at 10, can comprise a plurality of workstations 12 coupled to a 
network backbone 14. Network backbone 14 can comprise, for example, an Ethernet, FDDI, 
token ring, or other type of network backbone. Protection for internal network 10 can be 
provided by firewall 16 and a router 18 which are coupled to netwoik backbone 14. Router 18 
serves as a gateway between internal network 10 and an external network 30. External network 
30 can be, for example, the Internet or other public network. Firewall 16 can serve to limit 
external access to resources in internal network 10 and protect these internal resources from 
unauthorized use. See Figure 2 of the Gleichauf reference reproduced below, and in column 4, 
lines 40-58. 
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Internal network 10 of the Gleichauf reference further comprises a network security 
system 20 coupled to network backbone 14. The network security system 20 can include a scan 
engine 22 and a protocol engine 24 coupled to network backbone 14. A signature engine 26 is 
coupled to protocol engine 24, The scan engine 22 is further coupled to network map 28. The 
signature engine 26 is coupled to attack signatures 30. A priority engine 32 is coupled to 
network map 28, protocol engine 24 and signature engine 26. The protocol engine 24 and 
signature engine 26 are each also coupled to a storage 36. See the Gleichauf reference, column 
4, lines 58-68. 

The Gleichauf reference explains that the protocol engine 24 performs a plurality of 
protocol analyses upon monitored traffic on network backbone 14 in order to detect attacks upon 
the network. Attacks upon the netwoik include unauthorized accesses, policy violations, and 
patterns of misuse. The protocol engine 24 can perform the following protocol analyses upon 
monitored traffic on network backbone 14: checksum verification (IP, TCP, UDP, ICMP, etc.), 
IP fragment reassembly, TCP stream reassembly, protocol verification (such as insuring the IP 
header length is correct and the TCP data gram is not truncated), and timeout calculations. See 
the Gleichauf reference, column 6, lines 24-37. 

The signature engine 26 of the Gleichauf reference is coupled to protocol engine 24 and 
can perform further analysis tasks in order to detect attacks upon network backbone 14. 
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Signature engine 26 compares monitored traffic with attack signatures 30. Attack signatures 30 
can comprise, for example, a rules-based hierarchy of traffic signatures of known policy 
violations. Signature engine 26 can compare packets from the network traffic with such attack 
signatures 30 such that policy violations can be discovered. See the Gleichauf reference, column 
6, lines 38-45. 

The Gleichauf Reference Does Not Use Contextual Information 

Opposite to the protocol engine 24 and signature engine 26 of the Gleichauf reference, 
the invention described by amended independent Claim 1 monitors communications at an 
applications layer instead of the network and transport layers. Further, the invention as recited in 
amended independent Claim 1 evaluates data signatures in combination with contextual 
information related to data signatures. The contextual information can comprise at least one of 
an application layer data field type used to encapsulate the data signature and an application 
layer protocol type used to transmit the data signature. 

The Gleichauf reference evaluates protocols separately from its data signatures. That is, 
the Gleichauf reference uses a protocol engine 24 to evaluate protocol information separately 
from a signature engine 26. The Gleichauf signature engine 26 only monitors network level 
communications traffic for text that matches certain signatures. 

Additionally, the Gleichauf reference also does not provide any teaching of a table that 
comprises contextual information, data signatures, and alert condition values. The Gleichauf 
reference also does not provide any teaching of comparing the contextual information and data 
signature with the table and assigning an alert condition value based on the comparison of the 
contextual information and data signature to data in the table. The Gleichauf reference further 
fails to describe alert condition values indicating a security risk level relative to different data 
signatures and relative to other identical data signatures associated with different contextual 
information- 

The Vaidva Reference 

The Examiner admits that the Gleichauf signature engine 26 only monitors network level 
communications traffic for text that matches certain signatures and that the Gleichauf reference 
does not use contextual information. To make up for these deficiencies, the Examiner relies 
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upon the Vaidya reference, See Column 4, lines 27-31 of the Vaidya reference that describes 
how this system monitors communications for security at all seven layers. 

The Vaidya reference also describes how data transmitted over the network is monitored 
by a data monitoring device using data collectors (10) to detect data addressed to the network 
objects located in segments (14, 16, 18). Upon detecting data addressed to one of the network 
objects, a set of signature profiles corresponding to that network object of a segment (14, 16, 18) 
is accessed from the signature profile memory (39) of a data collector (10) based on the 
association data. At least one attack signature profile from the set of profiles is processed by the 
processor (36) to determine if the data addressed to the network object of a particular segment 
(14, 16, 18) is associated with a network intrusion. See column 3, lines 40-47 of the Vaidya 
reference; see also Figure 1 of the Vaidya reference below that describes the overall system that 
includes data collectors (10) and network objects (14, 16, 18). 
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In a preferred embodiment, each data collector (10) includes a data monitoring device, an 
attack signature profile memory (39), and a processor (36). Data collectors (10) are deployed at 
multiple sites in different segments (14, 16, 18) of the network A network configuration 
generator (28) assigns sets of attack signature profiles to each data collector (10) based on the 
network objects located on the network segment (14, 16, 18) on which each data collector (10) is 
deployed, A particular data collector (10) monitors network data only for data addressed to the 
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network objects located on that data collector's network segment (14, 16, 18). See Vaidya 
reference, column 3, lines 48-60. 
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By distributing the network monitoring responsibilities among multiple data collectors 
(10), high performance of the dynamic signature-based network IDS is maintained. Instead of a 
single data collector (10) monitoring the entire network data for network intrusion attempts, each 
data collector (10) only monitors a network segment (14, 16, 18) on which it is located or a point 
of entry from an open network, such as the Internet. See column 3, lines 48-65 of the Vaidya 
reference; see also Figure 2 of the Vaidya reference that illustrates further details of the central 
data repository (12) and each data collector (10). See Vaidya reference, column 3, lines 60-64. 

The Vaidya reference, like the Gleichauf reference, does not provide any teaching of a 
table that comprises contextual information, data signatures, and alert condition values. Further, 
the Vaidya reference also does not provide any teaching of comparing the contextual information 
and data signature with the table and assigning an alert condition value based on the comparison 
of the contextual information and data signature to data in the table. The Vaidya reference further 
fails to describe alert condition values indicating a security risk level relative to different data 
signatures and relative to other identical data signatures associated with different contextual 
information. 
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The Olden Reference 

The Examiner admits that the combination of the Gleichauf and Vaidya references alone 
do not teach the claimed combination of elements recited in each of the independent claims. 
Specifically, the Examiner admits that these two references do not provide any teaching of a 
contextual information table. To make up for this deficiency of the Gleichauf and Vaidya 
references, the Examiner relies upon the Olden reference. 

The Olden reference describes a security and access management system that provides 
for unified access management to address the specific problems facing the deployment of 
security for Web and non-Web environments. See Olden Abstract. The Examiner refers the 
Applicant to Figure 31 of the Olden reference (reproduced below) and alleges that this Figure 
illustrates a contextual information table as recited in Applicant's independent claims. 
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The Olden reference explains that Figure 31 is a panel that is displayed by the security 
and access management system to monitor attempts of unauthorized access. See Olden 
reference, brief description of the drawings. The Olden reference further explains that the panel 
of Figure 31 is for setting policies. Specifically, the policies panel maintains the list of attacks to 
scan for in which this list is preferably table-based, displaying the attack types- Each attack type 
preferably includes: Attack name, Event type, Frequency, and Action(s) to be taken. When 
double clicking on one of these actions, an Edit Attack dialoe window will aooear with the 
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information about the attack loaded in. At the bottom of the policies panel are buttons for: Add, 
Modify, Delete. 

One of ordinary skill in the art recognizes that the Olden reference does not provide any 
teaching of a contextual information table that is described by each of the amended independent 
claims. The Olden reference does not provide any teaching of creating a table comprising 
contextual information, data signatures, and alert condition values in which the contextual 
information comprises at least one of an application layer data field type used to encapsulate the 
data signature and an application layer protocol type used to transmit the data signature; and the 
alert condition values indicate a security risk level relative to different data signatures and 
relative to other identical data signatures associated with different contextual information. 



The Conklin Reference 

The Examiner admits that the Gleichauf reference fails to teach listening for a response to 
a data signature from a target. To make up for this deficiency, the Examiner relies upon the 
Conklin reference. 

The Conklin reference describes systematic monitoring, intrusion identification, 
notification, and tracking of unauthorized activities, such as methods or systems used by 
"hackers" to intrude computer networks. The Conklin reference teaches a star configuration of 
two Ethernet network segments 'B' and 'C and a terminal network connection leading to a 
network surveillance device for a computer network as illustrated in Figure 2. The system of the 
Conklin reference broadcasts communications between any two computers on an Ethernet 
segment that is monitored by an out-of-line surveillance device. See Conklin reference, column 
2, lines 58-66. 
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The Conklin reference explains that its intrusion detection may incorporate algorithms or 
patterns to detect attempted intrusions or intrusions on the network. As each packet of network 
data is passed from the network observation function> the intrusion detection function examines 
the data in comparison to a series of predefined or learned patterns which are pre-stored or 
developed from data received from the network. 

In the Conklin reference, the network data is compared to a database of known patterns. 
If the collected data matches the databases stored data, individually or collectively, then the 
network surveillance system identifies the network data as a reportable activity and the network 
surveillance system components are activated and a data channel is opened between the network 
observation function and the evidence logging function. 

Similar to the Gleichauf reference, the Conklin reference does not provide any teaching 
of evaluating data signatures at an applications layer in combination with contextual information 
related to data signatures, where the contextual information can comprise at least one of an 
application layer data field type used to encapsulate the data signature and an application layer 
protocol type used to transmit the data signature. The Conklin reference, like the Gleichauf 
reference, only evaluates data signatures alone without any context. The Conklin reference also 
does not provide any teaching of comparing contextual information and a data signature with a 
table and assigning an alert condition value based on the comparison of the contextual 
information and data signature to data in the table. The Conklin reference further fails to 
describe alert condition values indicating a security risk level relative to different data signatures 
and relative to other identical data signatures associated with different contextual information. 

The Krumel Reference 

The Examiner admits that the Gleichauf reference fails to teach determining if a packet is 
an unknown command. To make up for this deficiency, the Examiner relies upon the Krumel 
reference. 

The Krumel reference has a data protection system 1 that is coupled through a port to 
router 2 (or cable modem or other preferably broadband, persistent network connection access 
device), which is linked through a broadband connection to other computer systems and 
networks, exemplified by Internet 8 and Internet Service Provider (ISP) 10. Packets of data are 
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transmitted from an ISP, such as ISP 10, via Internet 8 to router 2. The packets are transmitted to 
data protection system 1, which analyzes the packets in "real time" and without buffering of the 
packets, while at the same time beginning the process of transmitting the packet to the internal 
network(s) in compliance with the timing requirements imposed by the Ethernet or other network 
standards and protocols. See Figure 1 of the Krumel reference reproduced below. 



If a packet of data in the Krumel system satisfies the criteria of the rules-based filtering 
performed within data protection system 1, which is executed in a manner to be completed by the 
time the entire packet has been received by data protection system 1, then it is allowed to pass to 
hub 6 as a valid packet, which may then relay the cleared packet to computers 4a* 4b, 4c, etc. on 
the internal network. If a packet of data fails to meet the filtering criteria, then it is not allowed 
to pass as a valid packet and is "junked." Without the intermediate positioning of data protection 
system 1, the packets would be transmitted directly to unprotected hub 6, thereby exposing 
computers 4a, 4b and 4c to security risks. Similar filtering is performed on packets that are to be 
transmitted from computers 4a, 4b, and 4c to Internet 8. See the Krumel reference, page 4, 
paragraphs [0067-0068]. 

The Krumel reference explains how TCP (transmission control protocol) and UDP (user 
datagram protocol) packets are evaluated in parallel where TCP and UDP are host-to-host 
protocols located in the transport layer of the protocol stack. See Krumel reference, page 8, 
paragraph [0092). 

Meanwhile, opposite to the Krumel reference, the invention as recited in amended 
independent Claim 1 evaluates data signatures at an applications layer in combination with 
contextual information related to data signatures, where the contextual information can comprise 
at least one of an application layer data fietd type used to encapsulate the data signature and an 
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application layer protocol type used to transmit the data signature. The Krumel reference, like 
the Gleichauf reference, only evaluates data signatures alone without any context and without 
using a table comprising contextual information. The Krumel reference further fails to describe 
alert condition values indicating a security risk level relative to different data signatures and 
relative to other identical data signatures associated with different contextual information. 

The ZhatXK Reference 

The Examiner admits that the Gleichauf and Conklin references fail to teach suspicious 
behavior comprising the transmitting of a root shell prompt to a suspect node. To make up for 
this deficiency, the Examiner relies upon the Zhang reference. 

The Zhang reference generally describes protocol specific algorithms that look for 
signatures particular based on different protocols. Specifically, the Zhang reference describes 
algorithms that find backdoors" in a flood of legitimate network traffic See Section 6. - 
Summary of the Zhang reference. 

The Zhang reference does not provide any teaching of evaluating data signatures at an 
applications layer in combination with contextual information related to data signatures, where 
the contextual information can comprise at least one of an application layer data field type used 
to encapsulate the data signature and an application layer protocol type used to transmit the data 
signature. The Zhang reference, like the Gleichauf reference, only evaluates data signatures 
alone without any context. The Zhang reference further fails to describe alert condition values 
indicating a security risk level relative to different data signatures and relative to other identical 
data signatures associated with different contextual information. 

The Applicant also notes that the Zhang reference may not constitute enabling prior art 
because of its high-level description or lack of enabling detail for its algorithms. But even if the 
Zhang reference was enabling prior art, it still would not teach evaluating data signatures at an 
applications layer in combination with contextual information related to data signatures 
contained in a table as recited in amended independent Claim 1. 

The Ji Reference 

The Examiner admits that the Gleichauf reference fails to teach a protocol comprising 
HTTP orotocol. To make ud for this deficiency, the Examiner relies uDon the Ji reference. 
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The Ji reference describes a corporate environment 202 that includes a host computer 204 
and host computer 206, which are connected to a proxy server 208, representing in this example 
an HTTP proxy server that is interposed between the distributed computer network 1 12 (such as 
the internet) and the host computers of corporate environment 202. The host computer 204 
represents any computer that is capable of requesting and receiving data transfers from 
distributed computer network 112 and may be implemented using any of the suitable operating 
systems such as Windows. See Figure 2 of the Ji reference reproduced below. 




□ 





23Q 












^oo»r Proxy <&«rv*r 


! 



The host computer 204 of the Ji system may access distributed computer network 112 via 
a commercial browser such as Internet Explorer by Microsoft Corporation. The browser 210 
within host computer 204 is set to request an auto-config script, i.e., a set of codes that 
automatically starts upon the occurrence of some predefined event, from proxy server 208 when 
browser 210 is started up. See the Ji reference, column 5, lines 21-56. 

With the auto-config script, a distributed virus scanning module or engine at each host 
computer 204 is preferably created and/or updated each time a new browser threat is activated 
and/or an initial HTTP request is issued therefrom. The distributed virus scan engine at each 
host computer 204 can be created from codes/data centrally maintained at one or more servers. 
The distributed virus scan engine preferably employs the information contained in virus 



PAGE 33/43 1 RCVD AT 5/25/2008 1:12:15 PM [Eastern Daylight Tune] * SVR:USPTO«EFXRF-2/8 1 DNIS:2738300 * CSID;404 572 5134 8 DURATION (mm-$s):13»12 



MAY 25 200G 13:25 FR KING AND SPALDING 404 572 5134 TO 555 1 B054568 1 0503 P. 



Application Serial No. 09/874,574 

definition files maintained at one or more servers on the LAN in order to perform its own virus 
scan at its host computer. In this manner, the advantages associated with centrally managed 
vims scanning solutions (e.g., ease of maintenance and updates as there are fewer servers 
involved) are achieved while the disadvantages (e.g., periodic manual updating and maintenance 
at each host computer) are avoided. See the Ji reference, column 5, lines 5-20. 

The Ji reference, like the Gleichauf reference, does not provide any teaching of 
evaluating data signatures at an applications layer in combination with contextual information 
related to data signatures, where the contextual information can comprise at least one of an 
application layer data field type used to encapsulate the data signature and an application layer 
protocol type used to transmit the data signature. The Ji reference, like the Gleichauf reference, 
only evaluates data signatures alone without any context and without using a table comprising 
contextual information. The Ji reference further fails to describe alert condition values indicating 
a security risk level relative to different data signatures and relative to other identical data 
signatures associated with different contextual information. 

The Farrow Reference 

The Examiner admits that the Gleichauf and Ji references fail to teach detecting a data 
signature of "cgi-bin/phf." To make up for this deficiency, the Examiner relies upon the Farrow 
reference. 

The Farrow reference is a product review article that describes various intrusion detection 
systems that were available in July 1999. The Farrow reference mentions the "cgi-bin/phf ' 
string in a section of the article that addresses stealth attacks. The authors of the article tested 
several IDS products with this string. 

The Farrow reference, like the Gleichauf reference, does not provide any teaching of 
evaluating data signatures at an applications layer in combination with contextual information 
related to data signatures, where the contextual information can comprise at least one of an 
application layer data field type used to encapsulate the data signature and an application layer 
protocol type used to transmit the data signature. The Farrow reference, like the Gleichauf 
reference, only evaluates data signatures alone without any context and without a table 
comprising contextual information. The Farrow reference further fails to describe alert condition 
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values indicating a security risk level relative to different data signatures and relative to other 
identical data signatures associated with different contextual information. 

The Applicant also notes that the Farrow reference may not constitute enabling prior art 
because of its high-level description of products in the market during July 1999, But even if the 
Farrow reference was enabling prior art, it still would not teach evaluating data signatures at an 
applications layer in combination with contextual information related to data signatures in a table 
as recited in amended independent Claim 1 . 



The Bernhard Reference 

The Examiner admits that the Gleichauf and Conklin references fail to teach the data 
signature being a passwd in a context where filenames are likely to appear To make up for this 
deficiency, the Examiner relies upon the Bernhard reference. 

The Bernhard reference describes a computer network 100 that includes a second line 
firewall 106 connected to a LAN server 112. The computer network 100 also includes a third 
firewall 108, a Kerberos server 110, an intranet Web server 114, a plurality of data processing 
systems (i.e., workstations) H6a-n, and an Internet Web server 118. All of these network 
elements connected to LAN 101 are monitored for computer misuse using an intrusion detection 
system (JDS) software 120. See Figure 1 of the Bernhard reference blow. 




WEBSERVER 
FOR WEB 
AM) FTP 



FIG. 2 
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The IDS software 120 of the Bemhard reference may reside and be centrally configured 
and monitored from a sysadmin workstation 122. The EDS software 120, as indicated in FIG. 1, 
may also reside on one or more of the network elements (e,g„ data processing systems 116) as 
well as at various points within the LAN 101 between network elements (thereby acting as 
network-level detectors). The IDS software 120 may operate on any number of principles, such 
as the one specified in U.S. Pat. No. 5,557,742 issued to Smaha et aL The ARMs of the 
Bemhard reference operate with the particular misuse engine of the IDS software 120 selected 
and installed by the sysadmin of the computer network 100 in a "plug and play" manner. Li 
other words, the ARMs reside in the IDS software 120. See the Bemhard reference, column 5 7 
lines 1-25 

The Bemhard reference explains that its product provides for automatic response to 
computer system misuse using active response modules (ARMs). The Bemhard reference 
describes steps of defining a plurality of ARMs to process instances of computer misuse, 
receiving an instance of misuse from an intrusion detection system (the instance of the misuse 
having been detected by the misuse engine) and identifying ARMs associated with and activated 
for the detected computer misuse. The method then, for each of the identified ARMs, collects 
pertinent data from the misuse engine and invokes each of the identified ARMs with the 
pertinent data. See the Bemhard reference, column 4, lines 26-39, 

As noted above, the Bemhard reference describes what actions are taken after a security 
event is detected. The Bemhard reference does not relate or describe how security events are 
detected as evidenced above by the admission that the IDS software 120 may operate on any 
number of principles, such as the one specified in U.S. Pat. No. 5,557,742 issued to Smaha et al. 
It follows that the Bernard reference, like the Gleichauf reference, does not provide any teaching 
of evaluating data signatures at an applications layer in combination with contextual information 
related to data signatures that are contained in a table, where the contextual information can 
comprise at least one of an application layer data field type used to encapsulate the data signature 
and an application layer protocol type used to transmit the data signature. The Bemhard 
reference farther fails to describe alert condition values indicating a security risk level relative to 
different data signatures and relative to other identical data signatures associated with different 
contextual information. 
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Conclusion Regarding Independent Claim 1 

In light of the differences between Claim 1 and the Gleichauf, Vaidya, Olden, Conklin, 
Krumel, Zhang, Ji, Farrow, and Bemhard references mentioned above, one of ordinary skill in 
the art recognizes that the combination proposed by the Examiner cannot anticipate nor render 
obvious the recitations as set forth in amended independent Claim 1. Accordingly, 
reconsideration and withdrawal of this rejection of Claim 1 are respectfully requested. 

THE CLAIMED INVENTION AS A WHOLE MUST BE CONSIDERED 

The Applicant respectfully submits that the Examiner must evaluate the claimed 

combination as a whole as opposed to a defining specific isolated computer elements of the prior 

art which do not contemplate the specific design of the Applicants' claimed invention. The 

Applicants respectfully submit that MJP.E.P. section 2141.02, second paragraph (Rev. 3, August 

2005), states the following: 

"In determining the differences between the prior art and the 
claims, the question under 35 U.S.C. § 103 is not whether the 
differences themselves would have been obvious, but whether the 
daimed invention as a whole would have been obvious. Stratoflex, 
Inc. v. Aeroquip Corp., 713 F.2d 1530, 218 USPQ 871 (Fed. Cir. 
1983)." [Emphasis Supplied.] 

Applicant respectfully submits that the Examiner is over looking the specific design of 
Applicants' invention and the design presented by the prior art references. For example, as noted 
during the telephonic interview of May 18, 2006, the Applicant's claimed invention correlates a 
data signature with an application layer fingerprint of a target to determine to what extent the 
target is vulnerable to the data signature. This vulnerability assessment is based on the 
comparison that is made to the contextual information table. 

Meanwhile, the Examiner has identified different computer elements of the prior art and 
combining them in a manner without reasonable motivation to do so. Even if the identifed 
computer elements were combinable, they do not contemplate a vulnerability assessment as 
recited in the amended independent claims. 
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Independent Claim 14 

The rejection of Claim 14 is respectfully traversed. It is respectfully submitted that the 
Gleichauf; Vaidya, Olden Conklin, Knimel, Zhang, Ji, Farrow, and Bernhard references, 
individually or in view of each other, fail to describe, teach, or suggest the combination of: (1) 
identifying a plurality of data signatures relevant to computer security; (2) designating an alert 
condition value to each data signature based on (3) each data signature itself and (4) contextual 
information associated with the data signature, (5) the contextual information comprising at least 
one of (5a) an application layer data field type used to encapsulate the data signature and (5b) an 
application layer protocol type used to transmit the data signature, (6) the alert condition value 
indicating a security risk level relative to different data signatures and (7) relative to other 
identical data signatures associated with different contextual information; (8) creating a table 
comprising data signatures, contextual information, and alert condition values; (9) identifying a 
data signature encapsulated in an application layer data field and directed at a target using an 
application layer protocol; (10) evaluating a context of the data signature by one of: (10a) 
reviewing the application layer data field type; (10b) reviewing the application layer protocol 
type; (10c) comparing the evaluated context of the data signature to the table; (11) determining 
whether said data signature poses a threat based on said context of said data signature; and (12) 
assigning an alert condition value to the data signature based on (13) the comparison of the 
context to data in the table, as recited in amended independent Claim 14. 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a table comprising contextual information, as recited in amended 
independent Claim 14. 

In light of the differences between Claim 14 and the Gleichauf, Vaidya, Olden, Conklin, 
Krumel, Zhang, Ji, Farrow, and Bernhard references mentioned above, one of ordinary skill in 
the art recognizes that the combination proposed by the Examiner cannot anticipate or render 
obvious the recitations as set forth in amended independent Claim 14. Accordingly, 
reconsideration and withdrawal of this rejection of Claim 14 are respectfully requested. 
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Independent Claim 25 

The rejection of Claim 25 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Olden, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, 
individually or in view of each other, fail to describe, teach, or suggest the combination of: (1) 
identifying a plurality of data signatures relevant to computer security; (2) designating a relative 
alert condition value to each data signature based on (3) each data signature itself and (4) 
contextual information associated with the data signature, (5) the contextual information 
comprising at least one of (5a) an application layer data field type used to encapsulate the data 
signature and (5b) an application layer protocol type used to transmit the data signature, (6) the 
alert condition value indicating a security risk level relative to different data signatures and (7) 
relative to other identical data signatures associated with different contextual information; (8) 
creating a table comprising contextual information, the data signatures, and the relative alert 
condition values; (9) monitoring a plurality of data transmissions at an applications layer level 
between a suspect and a target to identify one or more data signatures, (10) said data 
transmissions indicating a current state of communication between said suspect and said target; 
(11) evaluating contextual information related to each data signature by comparing the 
contextual information and data signatures to the table; (12) evaluating a likelihood that said 
target is under attack based on (13) the contextual information of one or more data signatures of 
said transmissions and (14) said current state of communication; and (15) assigning a relative 
alert condition value to the data signature based on (16) the comparison of the contextual 
information to data in the table, as recited in amended independent Claim 25. 

Similar to the Examiner's analysis of independent Claim 1, the Examiner's proposed 
combination of references fails to address the specifics of evaluating a context of a data signature 
by comparing the data signature to a table comprising contextual information, as recited in 
amended independent Claim 25 . 

In light of the differences between Claim 25 and the Gleichauf, Vaidya, Olden, Conklin, 
Krumel, Zhang, Ji, Farrow, and Bernhard references mentioned above, one of ordinary skill in 
the art recognizes that the combination proposed by die Examiner cannot anticipate or render 
obvious the recitations as set forth in amended independent Claim 25. Accordingly, 
reconsideration and withdrawal of this rejection of Claim 25 are respectfully requested. 
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Independent Claim "Y7 

The rejection of Claim 37 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Olden, Conklin, Krumel, Zhang, Ji, Farrow, and Bemhard references, 
individually or in view of each other, fail to describe, teach, or suggest the combination of: (1) 
identifying a plurality of data signatures relevant to computer security, (2) designating a relative 
alert condition value to each data signature based on (3) each data signature itself and (4) 
contextual information associated with the data signature, (5) the contextual information 
comprising at least one of (5a) an application layer data field type used to encapsulate the data 
signature and (5b) an application layer protocol type used to transmit the data signature, (6) the 
relative alert condition value indicating a security risk level relative to different data signatures 
and (7) relative to other identical data signatures associated with different contextual 
information; (8) creating a table comprising contextual information, the data signatures, and the 
relative alert condition values; (9) detecting a data signature by evaluating communications at an 
application layer level between a target and a suspect; (10) correlating said data signature with a 
fingerprint of the target (11) to deterrnine to what extent said target is vulnerable to said data 
signature; and (12) evaluating contextual information related to the data signature by (13) 
comparing the contextual information and the data signature to the table in order to determine a 
likelihood that said target is under attack; and (14) assigning a relative alert condition value to 
the data signature based on the (15) comparison of the contextual information and data signature 
to data in the table, as recited in amended independent Claim 37. 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a table comprising contextual information, as recited in amended 
independent Claim 37. 

to light of the differences between Claim 37 and the Gleichauf, Vaidya, Olden, Conklro, 
Krumel, Zhang, Ji, Farrow, and Bemhard references mentioned above, one of ordinary skill in 
the art recognizes that the combination proposed by the Examiner cannot anticipate or render 
obvious the recitations as set forth in amended independent Claim 37. Accordingly, 
reconsideration and withdrawal of this rejection of Claim 37 are respectfully requested. 
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Independent Claim SO 

The rejection of Claim 50 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Olden, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, 
individually or in view of each other, fail to describe, teach, or suggest the combination of: (1) 
identifying a plurality of data signatures relevant to computer security; (2) designating an alert 
condition value to each data signature based on (3) each data signature itself and (4) contextual 
infoimation associated with the data signature, (5) the contextual information comprising at least 
one of (5a) an application layer data field type used to encapsulate the data signature and (5b) an 
application layer protocol type used to transmit the data signature, (6) the alert condition value 
indicating a security risk level relative to different data signatures and (7) relative to other 
identical data signatures associated with different contextual information; (8) creating a table 
comprising data signatures, contextual information, and alert condition values; (9) identifying a 
data signature encapsulated in an application layer data field directed at a target using an 
application layer protocol; (10) evaluating a context of the data signature by one of: (10a) 
reviewing the application layer data field type; (10b) reviewing the application layer protocol 
type; and (10c) comparing the evaluated context of the data signature to the table; (11) 
detaining whether said data signature poses a threat based on said context of said data 
signature; and (12) assigning an alert condition value to the data signature based on (13) the 
comparison of the context to data in the table, as recited in amended indepeudent Claim 50. 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a table comprising contextual information, as recited in amended 
independent Claim 50. 

In light of the differences between Claim 50 and the Gleichauf, Vaidya, Olden, Conklin, 
Krumel, Zhang, Ji, Farrow, and Bernhard references mentioned above, one of ordinary skill in 
the art recognizes that the combination proposed by the Examiner cannot anticipate or render 
obvious the recitations as set forth in amended independent Claim 50. Accordingly 
reconsideration and withdrawal of this rejection of Claim 50 are respectfully requested. 
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Independent Tlaim Sfi 

The rejection of Claim 56 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Olden, Conklin, Krumel, Zhang, Ji, Farrow, and Bemhard references, 
individually or in view of each other, fail to describe, teach, or suggest the combination of; (1) 
identifying a plurality of data signatures relevant to computer security; (2) designating a relative 
alert condition value to each data signature based on (3) each data signature itself and (4) 
contextual information associated with the data signature, (5) the contextual information 
comprising at least one of (5a) an application layer data field type used to encapsulate the data 
signature and (5b) an application layer protocol type used to transmit the data signature, (6) the 
relative alert condition value indicating a security risk level relative to different data signatures 
and (7) relative to other identical data signatures associated with different contextual 
information; (8) creating a table comprising contextual infonnation, data signatures, and relative 
alert condition values; (9) monitoring a plurality of data transmissions at an applications layer 
level between a suspect and a target (10) to identify one or more data signatures, (1 1) said data 
transmissions indicating a current state of communication between said suspect and said target; 
(12) evaluating contextual information related to each data signature by (13) comparing the 
contextual information and data signatures to the table; (14) evaluating a likelihood that said 
target is under attack based on (15) the contextual information of one or more data signatures of 
said transmissions and (16) said current state of communication; and (17) assigning a relative 
alert condition value to the data signature based on (18) the comparison of the contextual 
information to data in the table, as recited in amended independent Claim 56. 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a taUe comprising contextual information, as recited in amended 
independent Claim 56. 

In light of the differences between Claim 56 and the Gleichauf, Vaidya, Olden, Conklin, 
Krumel, Zhang, Ji, Farrow, and Bemhard references mentioned above, one of ordinary skill in 
the art recognkes that the combination proposed by the Examiner cannot anticipate or render 
obvxous the recitations as set forth in amended independent Claim 56. Accordingly 
reconsideration and withdrawal of this rejection of Claim 56 are respectfully requested 
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Dependent Claims V4 6-13. 16-24. 26- 36. 38-40. 42-49 , 52-55. and 57 

The Applicant respectfully submits that the above-identified dependent claims are 

allowable because the independent claims from which they depend are patentable over the cited 

references. The Applicant also respectfully submits that the recitations of these dependent 

claims are of patentable significance. 

In view of the foregoing, the Applicant respectfully requests that the Examiner withdraw 

the pending rejections of dependent Claims 3-4, 6-13, 16-24, 26-36, 38-40, 42-49, 52-55, and 57. 

CONCLUSION 

The foregoing is submitted as a full and complete response to the Final Office Action 
mailed on May 13, 2005. The Applicant and the undersigned thank Examiner Nalven for 
consideration of these remarks. The Applicant has amended the claims and has submitted 
remarks to traverse rejections of Claims 1-57. The Applicant respectfully submits that the 
present application is in condition for allowance. Such action is hereby courteously solicited. 

If the Examiner believes that there are any issues that can be resolved by a telephone 
conference, or that there are any formalities that can be corrected by an Examiner's amendment, 
please contact the undersigned in the Atlanta Metropolitan area (404) 572-2884. 



Respectfully submitted, 




StevpfiV. Wigmore 
Re/ No. 40,447 



May 25, 2006 
King Sc. Spalding LLP 
191 Peachtree Street, N.E. 
Atlanta, Georgia 30303-1763 
telephone: (404) 572.4600 
K&S File No. 05456-105035 
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